For most of 2020, organizations have been forced to adapt to the operational challenges of employees working from home networks, often on personal computers, while accessing corporate data. A primary dilemma is balancing security vs. productivity. For example, according to the 2020 Verizon "Data Breach Investigations Report," 45% of breaches featured hacking and 22% included social engineering attacks. Attacks will likely continue to occur, especially with many remote workers remaining at home, and data breaches are expected to skyrocket.
There is a definite upside to remote work. Employees save time by not commuting, and many are able to focus and embrace collaboration tools for increased productivity. A remote workforce also enables organizations to reduce operational costs tied to physical office space. However, the trade-off for security professionals is that the corporate perimeter can no longer secure these employees, and home networks continue to present a significant security risk.
From my own conversations with clients, most organizations are implementing a combination of virtual private networks (VPN) and multifactor authentication (MFA) to secure the remote connections. To a lesser extent, some organizations may still be handcuffed to their existing virtual desktop infrastructure (VDI), but the user experience and performance can degrade, so most organizations avoid it. VDI is suitable for general office work but won't cut it for developers, designers, or anyone who needs a lot of processing power because all of the computing resources are pooled together for shared allocation.
As organizations have adapted to remote work and adopted new solutions, it's critical they understand how their architecture has changed in order to identify the evolving threat surface. But it's also important to realize that an IT architecture is like a fingerprint; there are some common types, but ultimately, they're unique. VPN is more effective for an on-premises environment, while MFA is more effective for a cloud-based setup.
Let's take VPNs as an example. The most straightforward use case of a VPN is to establish a secure connection to access corporate infrastructure. You're at home, on your own wireless network, but you connect through a VPN. The VPN is protected by a firewall device to access the corporate network. This model works well for organizations that have a data center and file servers on-site because they can still leverage their network perimeter to protect it.
However, VPN traffic can get more challenging when you consider the scale of larger organizations. Once hundreds of remote employees are connecting through VPN, the burden of moving data to a point which it can be distributed over network traffic can become significant. This is particularly true if an organization has very strict data loss protection controls — for example, if an employee working from home connects through a VPN but decides to browse Amazon during a coffee break, should your organization monitor and protect that traffic? Some organizations that are sensitive to risk will take on that burden, but an alternative approach is to utilize split tunneling, in which you route device or app traffic through the encrypted VPN tunnel while other devices or apps access the Internet directly to protect essential connections while allowing direct access to things such as social media and news.
On the other hand, there many companies have adopted a more cloud-native approach to their IT infrastructure. You can see this with services like Microsoft 365, Google Workspace, Salesforce, and cloud service providers like Microsoft Azure and Amazon EC3. Once an organization shifts to the cloud, there isn't much need for a VPN because these cloud service providers have commoditized a lot of traditional security controls, such as antivirus, email gateways, and Web traffic gateways. In addition, there really is no need to use a VPN to get into the corporate network if you're connecting to cloud services because none of the corporate data is actually inside the corporate network.
However, cloud services still represent a substantial threat surface, because if your access credentials get compromised, then someone can log in as you — and the 2020 Verizon "Data Breach Investigations Report" indicates how prevalent and successful phishing is as an attack vector. That's why MFA is so critical for helping secure this type of architecture. Typically, MFA requires the use of a text message or an authenticator app to enter a second validation code after the password.
MFA solutions have been evolving with the advent of zero-trust solutions focused on continuous conditional access. These sorts of solutions monitor user behavior and require reauthentication if an anomaly is detected — for example, if your credentials are used to log in from Europe when you've been working out of the United States. One nice thing about working with a cloud service provider like Microsoft Azure is that you can integrate your MFA with Active Directory to help enforce this sort of conditional access. Single sign-on solutions and identity and access management providers can also help this approach run smoothly — but again, every architecture is unique.
Unfortunately, there are issues. Many organizations had to stand up remote work infrastructure very quickly this year when the pandemic forced remote work, and that means many of them deployed a lot of singular solutions that may not necessarily integrate very well. Despite that, some organizations may not be able to secure on-premises environments with MFA because they can't integrate with their VPN. Early adopters of cloud services have found the transition to remote work more manageable because they had already been moving corporate assets beyond the perimeter. In this regard, the necessity of remote work has most certainly accelerated the adoption of cloud-native services.